I wanted to provide a quick update on this issue.

After reviewing the results of the audit script, we have stumbled upon what we _think_ is a possible cause of the truncated Token Cache. It appears the users throwing this error are members of one or more AD groups containing references to Foreign Security Principals (FSPs). More specifically, the users throwing the error appear twice: once with their "real" migrated account and once with their FSP from the Trusted Domain.

We are still working through the literally thousands of groups to remove these references, but early testing is showing a positive result.

... and of course, the person responsible for this mess is no longer with us to help clean up.
All indications point to the use of the Quest Tools to migrate accounts as the cause.

Also, cleaning up the group membership is step one. I still have to hack the registry and manually kill the Kixtart Token Cache. Running Kix with /F does not flush the cache on a machine that is broken.